
This OpenSSL Flaw Could Lead to Remote Code Execution

This issue was reported to OpenSSL on June 22, 2022, by Xi Ruoyao, who also developed the fix.

 

A high-severity vulnerability in OpenSSL might allow a hostile actor to execute malware on server-side devices.

OpenSSL is a widely used encryption library that provides an open source implementation of the SSL and TLS protocols. Among other things, it offers tools for creating RSA private keys and performing encryption and decryption.

An advisory indicates that OpenSSL version 3.0.4 introduced a "serious bug" in the RSA implementation for x86_64 CPUs supporting the AVX512IFMA instructions. Because of this flaw (CVE-2022-2274), the RSA implementation with 2048-bit private keys is incorrect on such machines, resulting in memory corruption during the computation.

As a result of the memory corruption, an attacker may be able to trigger remote code execution (RCE) on the machine performing the computation, OpenSSL maintainers said. On June 22, 2022, Xi Ruoyao, who also built the patch, reported this problem to OpenSSL.

This problem affects SSL/TLS servers and other servers that use 2048-bit RSA private keys and run on machines supporting the AVX512IFMA instructions of the x86_64 architecture.

“On a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment,” the advisory reads. 

Users running OpenSSL 3.0.4 should update to OpenSSL 3.0.5. This problem does not affect OpenSSL 1.1.1 or 1.0.2.
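
The two conditions described above (OpenSSL 3.0.4 and a CPU with AVX512IFMA) can be checked per host. The following triage script is an added example, not code from the OpenSSL project or the advisory; it assumes a Linux host where `/proc/cpuinfo` lists the feature as `avx512ifma`, and the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Triage a host for CVE-2022-2274 exposure (added example, names are hypothetical).
# Note: `openssl version` reports the CLI's library only; applications that
# bundle or statically link their own OpenSSL must be checked separately.

openssl_version_of() {
    # Pull "3.0.4" out of e.g. "OpenSSL 3.0.4 21 Jun 2022 (Library: ...)".
    # Prints nothing for other libraries (LibreSSL, BoringSSL, ...).
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

has_avx512ifma() {
    # Whole-word match on the "flags" line of /proc/cpuinfo-style text,
    # so avx512f or avx512vl alone do not count.
    printf '%s\n' "$1" |
        grep -Eq '^flags[[:space:]]*:.*[[:space:]]avx512ifma([[:space:]]|$)'
}

classify_exposure() {
    # $1 = output of `openssl version`, $2 = contents of /proc/cpuinfo
    ver=$(openssl_version_of "$1")
    if [ -z "$ver" ]; then
        echo unknown            # not an OpenSSL version string
    elif [ "$ver" != "3.0.4" ]; then
        echo not-affected       # only 3.0.4 carries the bug; 3.0.5 fixes it
    elif has_avx512ifma "$2"; then
        echo exposed            # vulnerable build on a CPU that takes the bad path
    else
        echo version-only       # vulnerable build; upgrade anyway, since the
    fi                          # workload may later move to an AVX512IFMA host
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION='OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)'
SAMPLE_CPUINFO='processor : 0
flags     : fpu sse2 avx2 avx512f avx512ifma sha_ni'

echo "sample host: $(classify_exposure "$SAMPLE_VERSION" "$SAMPLE_CPUINFO")"

# On a live Linux host:
#   classify_exposure "$(openssl version)" "$(cat /proc/cpuinfo)"
```

A result of `version-only` still calls for the update to 3.0.5, because virtual machines and containers can be rescheduled onto hardware that does support AVX512IFMA.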